BOVPN Virtual Interface Tunnel Does Not Establish with a Third‑Party Device

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

A branch office VPN (BOVPN) virtual interface (VIF) tunnel might fail to establish when the remote endpoint is a third‑party firewall and the required parameters do not match. Third‑party vendors might implement route‑based VPNs differently or use configurations incompatible with VIF-based tunnels. These differences can cause mismatched expectations for traffic selectors, tunnel interfaces, or endpoint identification (ID).

Differences in Phase 1 or Phase 2 encryption, authentication, lifetime, or perfect forward secrecy (PFS) settings can also cause proposal negotiation to fail. When either endpoint rejects the proposed parameters, the tunnel does not complete negotiation and remains in a Failed or Negotiating state.

Symptoms

A BOVPN virtual interface tunnel failure with a third‑party device typically presents one or more of these symptoms:

  • The BOVPN tunnel remains in a Negotiating state.
  • The third‑party device reports proposal rejection.
  • Firebox log messages indicate traffic selector or proposal errors. Example:
    TS_Unacceptable Received N(NO_PROPOSAL_CHOSEN)

Diagnostic Steps

On both tunnel endpoints, complete these steps:

  1. Confirm that the tunnel is configured as route‑based.
  2. Compare Phase 1 and Phase 2 encryption, authentication, and PFS parameters.
  3. Validate that the traffic selectors and the endpoint ID types and values (for example, IP address or FQDN) match on both sides of the tunnel.
  4. Verify that the pre-shared key and IKE version match on both tunnel endpoints.

On the Firebox, the remote endpoint type must be Cloud VPN or Third‑Party Gateway, unless the third‑party device uses generic routing encapsulation (GRE) over IPSec.

Possible Causes and Solutions

Possible Cause: The third‑party device uses a policy‑based BOVPN configuration.
Solution: Reconfigure the third‑party device and Firebox to use a route‑based BOVPN. For more information, go to:

Possible Cause: Phase 1 or Phase 2 proposal parameters do not match on the tunnel endpoints.
Solution: Align the encryption, authentication, and PFS settings on both tunnel endpoints. For more information, go to:

Possible Cause: The endpoint ID type or value does not match on the tunnel endpoints.
Solution: Configure matching ID types and values on both sides of the BOVPN tunnel. For more information, go to:

Possible Cause: The pre-shared key or IKE version does not match on the tunnel endpoints.
Solution: Configure matching pre-shared keys and IKE versions on both tunnel endpoints. For more information, go to:

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)